Lesson Learned from building the Azure Let's Encrypt Site Extension
Global Azure Bootcamp 2019 - Copenhagen
Simon J.K. Pedersen
@simped / mail@sjkp.dk
Quick Intro
- Azure Web Apps
- Site Extensions
- SSL Certificates
- Let's Encrypt
How many of you use Azure Web Apps with a custom domain?
Are you paying for your SSL certificate?
Why did I build it
Personal challenge/learning opportunity
Learnings
- Azure Web Apps behind the scenes
- Moving on from the site-extension approach (Functions and ACI)
- Using Key Vault and ARM templates
Azure Web Apps
- So many application frameworks are used
- Some people have massive deployments
- Web Jobs in site-extensions.....
- Server farms/app service plans and their location
- Not all scale units are created equal
- Deploy from ZIP/read-only disk
- KUDU API
- Traffic manager
Moving on
- Avoid support when people mess up the web job
- Avoid support when working with Service Principals
- Support other Azure services
  - Azure CDN
  - Azure API Management
  - Azure Functions
- Better security (KeyVault)
Attempt #1
- Make an API
- Host the API in the site-extension
- Let people call the API from Azure Functions/Logic Apps
- More trouble for the user
- Why even use site-extension
Attempt #2
- Make a NuGet package
- Let people do it themselves
- And some did ...
Attempt #3
- Wait for Microsoft to do it...
Attempt #4
- Found certes (https://github.com/fszlin/certes)
- Rewrite to .NET Core (so we can use Azure Functions v2 and Docker)
- Support wildcard
- Realize a lot of DNS providers are VERY slow at propagating DNS changes
- Use Managed Service Identity
- Use KeyVault
Demo Time
Architecture
KeyVault and ARM Templates
- Existing Resources (different resource groups)
  - Azure DNS
  - Azure Web App
- What we want to deploy
  - KeyVault
  - Azure Function (Storage Account & App Service Plan)
  - Managed Service Identity
  - App Settings
  - Application Insights
  - Role Assignments to Managed Service Identity
Managed Service Identity
Key Vault Access to MSI
Save secrets in Vault
Reference Secrets
Role Assignments